Reverse engineering

Tracing the Crimeware Origins by Reversing Injected Code

November 15, 2010 by Giuseppe Bonfa

Part 1: Introduction and De-Obfuscating and Reversing the User-Mode Agent Dropper
Part 2: Reverse Engineering the Kernel-Mode Device Driver Stealth Rootkit
Part 3: Reverse Engineering the Kernel-Mode Device Driver Process Injection Rootkit
Part 4:Tracing the Crimeware Origins by Reversing the Injected Code

In this final part we will trace the origins of the ZeroAccess rootkit. We will discover that the purpose of this rootkit is to set up a stealthy, undetectable and un-removable platform to deliver malicious software to victim computers. We will also see that ZeroAccess is being currently used to deliver FakeAntivirus crimeware applications that trick users into paying $70 to remove the antivirus. It could be used to delivery any malicious application, such as one that steals bank and credit card information in the future. Further analysis and network forensics supports that ZeroAccess is being hosted and originates from the Ecatel Network, which is controlled by the cybercrime syndicate RBN (Russian Business Network).

Let’s take a look at the max++ DLL. It is injected into other processes address space by the kernel mode driver reversed in Part 3. Here are the hashes for this DLL:

FileSize: 36.00 KB (36864 bytes)

MD5: 4CE2F6BA808954FA7B1257D4C754D5B0

SHA-1: E74EA961ADCA942623AE721283D33F6907A7C86D

No VersionInfo Available.

Resource: “TYPELIB”.

max++.00.x86.dll does not have an ET ( Export Table ) entire code is contained into DllEntryPoint() function.

This malicious DLL is injected via APC and ZwAllocateVirtualMemory by the second installed driver. Recall that this driver finds newly loaded processes via PsSetLoadImageNotifyRoutine.

This DLL can be debugged by using OllyDbg 1.10 LoadDLL utility. As this component is the just a small feature of ZeroAccess, we won’t go into as much detail on it as we did with the two drivers and the user-mode agent.

The above ZwTestAlert function tests whether the current thread has been alerted (and clears the alerted flag). It also enables the delivery of queued user APCs. NextDisableThreadLibraryCalls disables the DLL_THREAD_ATTACH and DLL_THREAD_DETACH notifications for the DLL. By disabling the notifications, the DLL initialization code is not paged in because a thread is created or deleted, thus reducing the size of the application’s working code set. This use of DisableThreadLibraryCalls increases invisibility for the injected DLL.

The call EAX is placed inside a do-while that updates the value pointed by EAX in iteration. This involves in calling a different routine each time. Let’s look at the next code block:

We see the API call completed. A thread is created, and we can inspect it by reaching the StartAddress argument. This new thread will invoke a couple of calls that will talk to a Command and Control (C&C) server. The C&C server will issue requests to websites that contain code to install further malicious code to be executed on the victim’s machine.

From string analysis we can obtain some valuable information:

All these entries as you can see are placed into the hidden NTFS volume that was analyzed previously. There are also other interesting strings like:

registrymachineSoftwareMicrosoftInternet ExplorerMain{F9197A7E-CE10-458e-85F8-5B0CE6DF2BBE}

The CLSID encoding is of great help during malware forensics. It can be used to determine univocally malware type and version. A quick search show us that this CLSID belongs to Trojan-Ransom.Win32.Digitala.b which is a downloader Aagent.

The above code blocks are executed if fdwReason is satisfied. Otherwise execution flows to another block of code that essentially acts as a cleanup routine.

This injected DLL serves the purpose of generating web redirections to malicious websites that contain FakeAntivirus software. Fake antivirus software (a.k.a misleading applications or rogue antivirus) is big business nowadays with Symantec reporting 43 million installation attempts from over 250 distinct programs between July 1, 2009, to June 30, 2010. With fake AV software costing the victim anywhere from $30 to $100, this is a lucrative earner for criminals.

The malicious URLs are:


The IP address behind these domains is From we can see the following graph

AS29073 belongs to Ecatel Network which is a well known crimeware friendly ISP.

Ecatel is infamous for the massive hosting of malware and spambots, the most widely used IPs are:


Detailed information on Ecatel activities can be seen here:

Often Ecatel was involved into fakeAV campaigns, and ZeroAccess drives to fake software download. From we see a relation with the well-know cybercrime ring, RBN ( Russian Business Network ).

Posted: November 15, 2010
Articles Author
Giuseppe Bonfa
View Profile

Giuseppe is a security researcher for InfoSec Institute and a seasoned InfoSec professional in reverse-engineering and development with 10 years of experience under the Windows platforms. He is currently deeply focused on Malware Reversing (Hostile Code and Extreme Packers) especially Rootkit Technology and Windows Internals.

He has previously worked as Malware Analyst for Comodo Security Solutions as a member of the most known Reverse Engineering Teams and is currently a consultant for private customers in the field of Device Driver Development, Malware Analysis and Development of Custom Tools for Digital Forensics.

He collaborates with Malware Intelligence and Threat Investigation organizations and has even discovered vulnerabilities in PGP and Avast Antivirus Device Drivers.

As a technical author, Giuseppe has over 10 years of experience and hundreds of published pieces of research.

Notice: Undefined index: visitor_id12882 in /www/resourcesinfosecinstitute_601/public/wp-content/plugins/infosec-user-info/infosec-user-info.php on line 117